GNIP 87: Reduce information returned to users to only what is strictly required and accessible

[marthamareal]

GNIP - Users information leak

Overview

Currently

1. GeoNode's /owners API endpoint returns the full list of users, including their personal information (!!!!). Also it returns users with no resources.
2. The evaluation of visible resources depends on the following conditions.

Proposed By

@marthamareal
@giohappy

Assigned to Release

This proposal is for GeoNode .

State

• Under Discussion
• In Progress
• Completed
• Rejected
• Deferred

Motivation

Details about the motivations. Why people should accept this proposal. What are the benefits compared to the current situation.

Proposal

1. Return only owners with resources a user can access in owners api and fields(id and username ) for non-admin users
2. Remove the dependence of these conditions on the evaluation of allowed_ressources.

Backwards Compatibility

Declare its Backwards Compatibility.

Future evolution

Explain which could be future evolutions.

Feedback

Update this section with relevant feedbacks, if any.

Voting

Project Steering Committee:

• Alessio Fabiani +1
• Francesco Bartoli:
• Giovanni Allegri: +1
• Simone Dalmasso:
• Toni Schoenbuchner: +1
• Florian Hoedt: +1

Links

Remove unused links below.

• Email Discussion
• Pull Request
• Mail Discussion
• Linked Issue

[gannebamm]

Is this is GNIP, or a bugfix? I do not think we have to make formal decisions here, do we?

[afabiani]

This is a bugfix IMHO or at least an enhancement. It smells like a security issue to me.

[giohappy]

@gannebamm @afabiani I asked @marthamareal to change it into a GNIP becasue the proposal is to change the responses returned by the API (and the contents displayed in the user pages).
It's not a bugfix by itself. There could be good reasons to have the full info returned, but we want to change it since it can be a security issue.

[giohappy]

the following two points are particularly relevant:

1. Here we filter out any resource the user doesn't have access to, independently from the advanced workflow. The filtering was applied only in case either ADMIN_MODERATE_UPLOADS, RESOURCE_PUBLISHING or GROUP_PRIVATE_RESOURCES were true before. @afabiani I see you added a commit for this condition within this commit. You titled it as an optimization, but I think that the filter set by @marthamareal should also be fine from the point of view of performances.
2. Here we stop returning items with count==0. This affects any endpoint, nor only the owners endpoints. I think it makes sense to avoid returning information that the user souldn't reach in any case.

[t-book]

my +1 a very welcome fix!

[afabiani]

@giohappy @marthamareal for the next time, the GNIPs have some special rules:

1. You need to assign a number to the GNIP accordingly to this list, and report the number on the title
2. You need to add the GNIP to the wiki and update the status accordingly

[afabiani]

This is actually a regression, my fault. Thanks for spotting this out.